
Network shunt-TCP packet reorganization and session rules-network shunt

2025-01-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The Rongteng network shunt, also called a core network collector, comes in two forms: a fixed-network collector and a mobile-signalling collector. The network shunt is the key piece of front-end equipment for network security monitoring. Terms such as bypass, mirroring, traffic collection, DPI (deep packet inspection) and quintuple filtering come up constantly in network security; today the topic is TCP packet reassembly and session rules.

High-density network shunt supporting both 10G and 100G links

I. Basic concepts

Quad (4-tuple): source IP address, destination IP address, source port, destination port.

Quintuple (5-tuple): source IP address, destination IP address, protocol number, source port, destination port.

Six-tuple: source MAC address, source IP address, source port number, destination MAC address, destination IP address, destination port number.

Seven-tuple: source MAC address, source IP address, source port number, destination MAC address, destination IP address, destination port number, and protocol number.

Is a session identified by a quintuple or by a quad?

A quintuple is the set of five values: source IP address, source port, destination IP address, destination port, and transport-layer protocol number. For example, 192.168.1.1/10000/TCP/121.14.88.76/80 is a quintuple. It means that the host with IP address 192.168.1.1 is communicating from port 10000, over TCP, with the host at IP address 121.14.88.76 on port 80.

The quintuple can uniquely identify a session.

When reassembling a TCP session, ordering segments by sequence number handles both out-of-order arrival and retransmission, and the session's byte stream can be restored using a two-dimensional linked list. The hard parts are handling many concurrent connections, out-of-order arrival of IP packets, and TCP retransmissions.

Background: TCP is a core member of the TCP/IP protocol family, and reassembly of the TCP data stream is the foundation on which any higher-layer protocol analysis system is built. TCP is a connection-oriented, reliable transport protocol, while IP beneath it is a packet-oriented, unreliable protocol. This creates the problem that IP cannot guarantee that TCP segments arrive reliably or in order. To solve it, TCP uses a sliding window, byte-stream numbering, and a fast-retransmit algorithm; together these ensure reliable delivery of the data.

A TCP session (TCP_Session_IDT) can be uniquely identified by a quad (4-tuple).

A hash table keyed on these identifying features gives fast lookup of the session a segment belongs to, which is what makes it possible to track and process many TCP sessions at the same time.

In the TCP header, the Sequence Number is the key field for deciding whether a segment is a retransmission or has arrived out of order. When the TCP connection is established, an initial sequence number is chosen that all subsequent segments are numbered from. Every time a segment carrying valid data is sent, the sequence number of the next segment advances accordingly: if the previous segment carried N bytes of payload, this segment's sequence number is the previous sequence number plus N. This design guarantees in-order delivery of TCP data and makes complete transfer possible even when individual segments are lost or corrupted.

The algorithm that derives the file write pointer from the sequence number carried in the SYN is:

File_Init_Write_Pointer = Init_Sequence_Number + 1

File_Write_Pointer = Current_Sequence_Number - File_Init_Write_Pointer

Check whether the TCP session contains holes (byte ranges that were never received) to decide whether session reassembly succeeded, failed, or timed out.

TCP needs a three-way handshake to establish a connection and a four-way handshake to terminate one. This is because a TCP connection is full-duplex, and each direction must be closed separately.

Rule 1: a six-tuple whose protocol number is TCP identifies exactly one session.

Rule 2: the 4-tuple taken from the TCP header

<syn, fin, seq, len>

should be unique within a session; if it is not unique, that indicates a retransmission.
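The following is an added example (not code from the original article or from Rongteng) that puts the rules above into one small Python reassembler: sessions live in a hash table keyed by the 4-tuple from the "basic concepts" section, the write pointer is computed from the SYN's sequence number as in the File_Init_Write_Pointer / File_Write_Pointer formulas, retransmissions are detected with the <syn, fin, seq, len> marker of rule 2, and the hole check decides success or failure. The sample segments, addresses (192.168.1.1 and 121.14.88.76 from the quintuple example) and sequence numbers are constructed for illustration; the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FourTuple = Tuple[str, int, str, int]    # (src_ip, src_port, dst_ip, dst_port): one direction
SeqMarker = Tuple[bool, bool, int, int]  # (syn, fin, seq, len): rule 2's header 4-tuple


@dataclass
class Segment:
    """One parsed TCP segment (constructed input; a real collector fills this from headers)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    payload: bytes = b""
    syn: bool = False
    fin: bool = False

    def key(self) -> FourTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def marker(self) -> SeqMarker:
        return (self.syn, self.fin, self.seq, len(self.payload))


@dataclass
class Stream:
    """Reassembly state for one direction of a session."""
    init_write_pointer: Optional[int] = None  # File_Init_Write_Pointer = ISN + 1
    buf: bytearray = field(default_factory=bytearray)
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) offsets written
    seen: Set[SeqMarker] = field(default_factory=set)            # markers already processed
    fin_offset: Optional[int] = None                             # stream length once FIN seen


class Reassembler:
    def __init__(self) -> None:
        self.sessions: Dict[FourTuple, Stream] = {}  # hash table keyed by the 4-tuple

    def feed(self, seg: Segment) -> str:
        s = self.sessions.setdefault(seg.key(), Stream())
        m = seg.marker()
        if m in s.seen:                 # rule 2: duplicate <syn, fin, seq, len> => retransmission
            return "retransmission"
        s.seen.add(m)
        if seg.syn:                     # SYN consumes one sequence number, so data starts at ISN + 1
            s.init_write_pointer = (seg.seq + 1) & 0xFFFFFFFF
            return "syn"
        if s.init_write_pointer is None:
            return "no-syn"             # session seen mid-stream; no anchor for the write pointer
        wp = (seg.seq - s.init_write_pointer) & 0xFFFFFFFF  # File_Write_Pointer, mod 2^32
        if seg.payload:                 # out-of-order data lands at its offset, not at the end
            end = wp + len(seg.payload)
            if end > len(s.buf):
                s.buf.extend(bytes(end - len(s.buf)))
            s.buf[wp:end] = seg.payload
            s.ranges.append((wp, end))
        if seg.fin:
            s.fin_offset = wp + len(seg.payload)
        return "data"

    def holes(self, key: FourTuple) -> List[Tuple[int, int]]:
        """Byte ranges never received, up to the FIN (or the highest byte seen so far)."""
        s = self.sessions[key]
        limit = s.fin_offset if s.fin_offset is not None else len(s.buf)
        gaps, cursor = [], 0
        for start, end in sorted(s.ranges):
            if start > cursor:
                gaps.append((cursor, start))
            cursor = max(cursor, end)
        if cursor < limit:
            gaps.append((cursor, limit))
        return gaps

    def status(self, key: FourTuple) -> str:
        """'pending' until FIN; then 'success' with no holes, 'failure' otherwise."""
        if self.sessions[key].fin_offset is None:
            return "pending"
        return "failure" if self.holes(key) else "success"

    def data(self, key: FourTuple) -> bytes:
        return bytes(self.sessions[key].buf)


KEY: FourTuple = ("192.168.1.1", 10000, "121.14.88.76", 80)


def demo() -> Tuple[List[str], str, bytes]:
    """Out-of-order arrival plus one retransmission; the stream still reassembles cleanly."""
    r = Reassembler()
    segs = [
        Segment(*KEY, seq=1000, syn=True),
        Segment(*KEY, seq=1001, payload=b"GET / "),
        Segment(*KEY, seq=1012, payload=b"1.0\r\n"),  # arrives before its predecessor
        Segment(*KEY, seq=1007, payload=b"HTTP/"),
        Segment(*KEY, seq=1007, payload=b"HTTP/"),    # retransmitted copy
        Segment(*KEY, seq=1017, fin=True),
    ]
    results = [r.feed(s) for s in segs]
    return results, r.status(KEY), r.data(KEY)


def demo_with_loss() -> Tuple[str, List[Tuple[int, int]]]:
    """Same stream with the middle segment lost: the hole check reports failure."""
    r = Reassembler()
    for s in (Segment(*KEY, seq=1000, syn=True),
              Segment(*KEY, seq=1001, payload=b"GET / "),
              Segment(*KEY, seq=1012, payload=b"1.0\r\n"),
              Segment(*KEY, seq=1017, fin=True)):
        r.feed(s)
    return r.status(KEY), r.holes(KEY)


if __name__ == "__main__":
    print(demo())
    print(demo_with_loss())
```

Rule 2 as written only catches an exact duplicate of a segment; a retransmission that re-segments the data (different seq or len) is not flagged, but since it writes the same bytes to the same offsets the reassembled stream is still correct. A production collector would also age out "pending" sessions on a timer to produce the timeout outcome the article mentions, and would keep one Stream per direction since the two halves of a full-duplex connection are closed separately.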
